✨ Add restore_point functionality to Meetups

- 💾 Introduced `restore_point` JSON column in `meetups` table for saving and restoring master data.
- 🛠️ Added methods `captureRestorePoint` and `restoreFromRestorePoint` to `Meetup` model for managing restore points.
- 🔒 Implemented authorization for updating meetups via `updateViaPortal` policy to include pivot members.
- 🔗 Created Artisan commands `meetups:snapshot` and `meetups:restore` for managing restore points from CLI.
- 🚦 Added rate limiter to restrict excessive update attempts in Livewire meetup editing.
- ✅ Developed exhaustive feature tests for snapshot and restore actions, portal editing rules, and rate limiting.

tests/Feature/Api/MeetupWriteApiTest.php

@@ -58,6 +58,18 @@ it('forbids updating someone elses', function () {
     ])->assertForbidden();
 });
 
+it('forbids updating as a pivot member who is not the creator', function () {
+    $owner = User::factory()->create();
+    $meetup = Meetup::factory()->create(['created_by' => $owner->id]);
+
+    Sanctum::actingAs($member = User::factory()->create());
+    $meetup->users()->attach($member);
+
+    $this->patchJson('/api/meetup/'.$meetup->id, [
+        'name' => 'Plan B Lugano',
+    ])->assertForbidden();
+});
+
 it('returns only own in mine index', function () {
     Sanctum::actingAs($user = User::factory()->create());
     $other = User::factory()->create();

tests/Feature/Meetups/EditMeetupTest.php

@@ -4,6 +4,7 @@ use App\Models\City;
 use App\Models\Country;
 use App\Models\Meetup;
 use App\Models\User;
+use Illuminate\Support\Facades\RateLimiter;
 use Livewire\Livewire;
 
 beforeEach(function () {
@@ -62,7 +63,26 @@ it('allows update when name is unchanged (Rule::unique ignores own id)', functio
         ->assertHasNoErrors();
 });
 
-it('blocks updateMeetup when the user is not the creator', function () {
+it('allows updateMeetup for a member of the meetup_user pivot who is not the creator', function () {
+    $member = actingAsUser();
+    $meetup = Meetup::factory()->create([
+        'city_id' => $this->city->id,
+        'name' => 'Original Name',
+        'created_by' => User::factory()->create()->id,
+    ]);
+    $meetup->users()->attach($member);
+
+    Livewire::test('meetups.edit', ['meetup' => $meetup])
+        ->set('name', 'Updated By Member')
+        ->set('city_id', $this->city->id)
+        ->set('community', 'einundzwanzig')
+        ->call('updateMeetup')
+        ->assertHasNoErrors();
+
+    expect($meetup->refresh()->name)->toBe('Updated By Member');
+});
+
+it('blocks updateMeetup when the user is neither creator nor pivot member', function () {
     actingAsUser();
     $meetup = Meetup::factory()->create([
         'city_id' => $this->city->id,
@@ -76,6 +96,29 @@ it('blocks updateMeetup when the user is not the creator', function () {
     expect($meetup->refresh()->name)->toBe('Original Name');
 });
 
+it('blocks updateMeetup after exceeding the hourly rate limit', function () {
+    $creator = actingAsUser();
+    $meetup = Meetup::factory()->create([
+        'city_id' => $this->city->id,
+        'name' => 'Original Name',
+        'created_by' => $creator->id,
+    ]);
+    $meetup->users()->attach($creator);
+
+    for ($i = 0; $i < 10; $i++) {
+        RateLimiter::hit(Meetup::updateRateLimitKey($creator->id), 3600);
+    }
+
+    Livewire::test('meetups.edit', ['meetup' => $meetup])
+        ->set('name', 'Updated Name')
+        ->set('city_id', $this->city->id)
+        ->set('community', 'einundzwanzig')
+        ->call('updateMeetup')
+        ->assertHasErrors(['rateLimit']);
+
+    expect($meetup->refresh()->name)->toBe('Original Name');
+});
+
 it('redirects guests when accessing meetup-edit', function () {
     $meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
 

tests/Feature/Meetups/MeetupRestorePointTest.php

@@ -0,0 +1,84 @@
+<?php
+
+use App\Models\City;
+use App\Models\Country;
+use App\Models\Meetup;
+
+beforeEach(function () {
+    $country = Country::factory()->create(['code' => 'de']);
+    $this->city = City::factory()->create(['country_id' => $country->id]);
+});
+
+it('snapshots the current master data of all meetups', function () {
+    $meetup = Meetup::factory()->create([
+        'city_id' => $this->city->id,
+        'name' => 'Einundzwanzig Cham',
+    ]);
+
+    $this->artisan('meetups:snapshot')
+        ->expectsOutputToContain('Restore points saved for 1 meetups.')
+        ->assertSuccessful();
+
+    $restorePoint = $meetup->refresh()->restore_point;
+    expect($restorePoint['attributes']['name'])->toBe('Einundzwanzig Cham')
+        ->and($restorePoint['captured_at'])->not->toBeNull();
+});
+
+it('snapshots a single meetup by id', function () {
+    $meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
+    $other = Meetup::factory()->create(['city_id' => $this->city->id]);
+
+    $this->artisan('meetups:snapshot', ['meetup' => $meetup->id])
+        ->assertSuccessful();
+
+    expect($meetup->refresh()->restore_point)->not->toBeNull()
+        ->and($other->refresh()->restore_point)->toBeNull();
+});
+
+it('restores master data from the restore point', function () {
+    $meetup = Meetup::factory()->create([
+        'city_id' => $this->city->id,
+        'name' => 'Einundzwanzig Cham',
+        'community' => 'einundzwanzig',
+        'telegram_link' => 'https://t.me/original',
+    ]);
+
+    $this->artisan('meetups:snapshot', ['meetup' => $meetup->id])->assertSuccessful();
+
+    $meetup->update([
+        'name' => 'Vandalized Name',
+        'community' => 'other',
+        'telegram_link' => 'https://t.me/spam',
+    ]);
+
+    $this->artisan('meetups:restore', ['meetup' => $meetup->id])
+        ->expectsOutputToContain('restored from restore point')
+        ->assertSuccessful();
+
+    $meetup->refresh();
+    expect($meetup->name)->toBe('Einundzwanzig Cham')
+        ->and($meetup->community)->toBe('einundzwanzig')
+        ->and($meetup->telegram_link)->toBe('https://t.me/original');
+});
+
+it('fails to restore when no restore point exists', function () {
+    $meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
+
+    $this->artisan('meetups:restore', ['meetup' => $meetup->id])
+        ->expectsOutputToContain('has no restore point')
+        ->assertFailed();
+});
+
+it('fails to restore an unknown meetup', function () {
+    $this->artisan('meetups:restore', ['meetup' => 999999])
+        ->expectsOutputToContain('not found')
+        ->assertFailed();
+});
+
+it('does not allow mass-assigning the restore point via update', function () {
+    $meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
+
+    $meetup->update(['restore_point' => ['attributes' => ['name' => 'Hacked']]]);
+
+    expect($meetup->refresh()->restore_point)->toBeNull();
+});